Consensys / tessera

Tessera - Enterprise Implementation of Quorum's transaction manager
https://docs.tessera.consensys.net/
Apache License 2.0

Support ED or EC-based x509 certificates #1406

Open tsujp opened 2 years ago

tsujp commented 2 years ago

I have been playing around with configuring Tessera for TLS and through my experiments I cannot see it supporting anything other than RSA x509 certificates. This is less than ideal because RSA has huge key lengths (which become a problem when automation is involved due to character length limits) when compared to, say, ED25519 or P256-1 keys.

I've included the Bash script I made when doing the testing, followed by the Tessera configuration. When using ED25519 I get errors about the signing algorithm, and similarly for P256-1.

Bash script self-signed x509 certificates

```bash
#!/usr/bin/env bash

main ()
{
  local -r certificate_life='30'
  local -r certificate_ip='10.0.1.5'

  # Root CA private key.                                        !! COMMENT THESE IN OR OUT AS APPROPRIATE TO SEE !!
  openssl genrsa -out root_ca_secret.key 4096
  # openssl genpkey -algorithm ED25519 -out root_ca_secret.key
  # openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out root_ca_secret.key

  # Root certificate from root key.
  openssl req \
    -x509 \
    -new \
    -nodes \
    -sha512 \
    -days "$certificate_life" \
    -subj "/C=US/OU=Foo/CN=Foo CA" \
    -key root_ca_secret.key \
    -out root_ca_cert.crt

  # Client's private key.                                     !! COMMENT THESE IN OR OUT AS APPROPRIATE TO SEE !!
  openssl genrsa -out client_secret.key 4096
  # openssl genpkey -algorithm ED25519 -out client_secret.key
  # openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out client_secret.key

  # Client CSR.
  openssl req \
    -new \
    -subj "/C=US/OU=Foo/CN=Foo Bar" \
    -addext "subjectAltName=IP:$certificate_ip" \
    -key client_secret.key \
    -out client.csr

  # Extensions applied when the CA signs the CSR (SAN, key usage, EKU).
  tee san.ext > /dev/null << END
subjectAltName=IP:$certificate_ip
keyUsage=digitalSignature,keyAgreement
extendedKeyUsage=serverAuth,clientAuth
END

  # Sign the CSR.
  openssl x509 \
    -req \
    -in client.csr \
    -CA root_ca_cert.crt \
    -CAkey root_ca_secret.key \
    -CAcreateserial \
    -out client.crt \
    -days "$certificate_life" \
    -extfile san.ext

  # Validate client certificate against the root certificate created above.
  openssl verify -CAfile root_ca_cert.crt client.crt

  # Cleanup.
  rm -f client.csr
}

main
```

Tessera P2P configuration for the above x509 certificates

```json
{
    "app": "P2P",
    "enabled": true,
    "communicationType": "REST",
    "serverAddress": "https://10.0.1.5:9000",
    "sslConfig": {
        "tls": "STRICT",
        "communicationType": "REST",
        "generateKeyStoreIfNotExisted": false,
        "serverTrustMode": "CA",
        "serverTlsKeyPath": "/path/to/client_secret.key",
        "serverTlsCertificatePath": "/path/to/client.crt",
        "serverTrustCertificates": [ "/path/to/root_ca_cert.crt" ],
        "clientTrustMode": "CA",
        "clientTlsKeyPath": "/path/to/client_secret.key",
        "clientTlsCertificatePath": "/path/to/client.crt",
        "clientTrustCertificates": [ "/path/to/root_ca_cert.crt" ]
    }
}
```

namtruong commented 2 years ago

Hi,

Thanks for raising this. Yes, Tessera uses the RSA algorithm by default when loading the certificates.

Originally, the SSL config was made mainly to accommodate certs being stored in Java keystore format, and I'm not sure if Ed25519 was supported by older versions of Java at the time.

We'll see if this can be made configurable and will keep you updated.
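
Added example, not part of the thread and not Tessera's code: a pre-flight check that reads the algorithm of a PEM private key, so a non-RSA key (which, per the reply above, Tessera loads as RSA by default) is caught before the node starts. The function names and the all-zero sample key are constructed for illustration; only unencrypted keys are handled.

```python
import base64
import re

# DER-encoded algorithm OIDs that appear in a PKCS#8 AlgorithmIdentifier.
OIDS = {
    bytes.fromhex("2a864886f70d010101"): "RSA",      # 1.2.840.113549.1.1.1
    bytes.fromhex("2a8648ce3d0201"): "EC",           # 1.2.840.10045.2.1
    bytes.fromhex("2b6570"): "Ed25519",              # 1.3.101.112
}
# Legacy (non-PKCS#8) PEM labels name the algorithm directly.
LEGACY_LABELS = {"RSA PRIVATE KEY": "RSA", "EC PRIVATE KEY": "EC"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def key_algorithm(pem_text):
    """Name the algorithm of an unencrypted PEM private key."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if label in LEGACY_LABELS:
        return LEGACY_LABELS[label]
    if label != "PRIVATE KEY":
        raise ValueError(f"unsupported PEM label: {label}")
    der = base64.b64decode("".join(body.split()))
    # PrivateKeyInfo ::= SEQUENCE { version, AlgorithmIdentifier, privateKey }
    _, info, _ = read_tlv(der, 0)
    _, _, pos = read_tlv(info, 0)        # skip the version INTEGER
    _, alg_id, _ = read_tlv(info, pos)   # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)    # its first element is the OID
    if tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    return OIDS.get(oid, "unknown")

def is_rsa_key(pem_text):
    """True only for RSA keys, the kind the thread reports Tessera loading."""
    return key_algorithm(pem_text) == "RSA"

# Constructed sample: Ed25519 PKCS#8 structure with an all-zero seed.
_DER = bytes.fromhex("302e020100300506032b657004220420") + bytes(32)
SAMPLE_ED25519 = "-----BEGIN PRIVATE KEY-----\n%s\n-----END PRIVATE KEY-----\n" % base64.b64encode(_DER).decode()
```

Run `is_rsa_key(open(path).read())` against the files named in `serverTlsKeyPath` and `clientTlsKeyPath`; with the script's `genpkey` lines enabled it returns `False`.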